git: abdc47cd6969 - stable/13 - bhyve: Fix a buffer overread in the PCI hda device model.

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Thu, 26 Jan 2023 22:35:10 UTC
The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=abdc47cd6969a649ee7b4bec0efe0d51bc95dfdb

commit abdc47cd6969a649ee7b4bec0efe0d51bc95dfdb
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-01-20 17:58:38 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-01-26 22:29:06 +0000

    bhyve: Fix a buffer overread in the PCI hda device model.
    
    The sc->codecs array contains HDA_CODEC_MAX (15) entries.  The
    guest-supplied cad field in the verb provided to hda_send_command is a
    4-bit field that was used as an index into sc->codecs without any
    bounds checking.  The highest value (15) would overflow the array.
    
    Other uses of sc->codecs in the device model used sc->codecs_no to
    determine which array indices have been initialized, so use a similar
    check to reject requests for uninitialized or invalid cad indices in
    hda_send_command.
    
    PR:             264582
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Reviewed by:    corvink, markj, emaste
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D38128
    
    (cherry picked from commit cf57f20edcf9c75f0f9f1ac1c44729184970b9d9)
---
 usr.sbin/bhyve/pci_hda.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c
index bb8fba1a54bb..9e9d7ab5a626 100644
--- a/usr.sbin/bhyve/pci_hda.c
+++ b/usr.sbin/bhyve/pci_hda.c
@@ -475,12 +475,14 @@ hda_send_command(struct hda_softc *sc, uint32_t verb)
 	struct hda_codec_class *codec = NULL;
 	uint8_t cad = (verb >> HDA_CMD_CAD_SHIFT) & 0x0f;
 
-	hci = sc->codecs[cad];
-	if (!hci)
+	if (cad >= sc->codecs_no)
 		return (-1);
 
 	DPRINTF("cad: 0x%x verb: 0x%x", cad, verb);
 
+	hci = sc->codecs[cad];
+	assert(hci);
+
 	codec = hci->codec;
 	assert(codec);